We have applied the following access list to our Cisco 2501. The
Cisco is our router to the Internet.
This is an inbound filter.
I understand that this is a liberal filter, however we have other
protections such as another router between this one and sensitive
networks and run pieces of the fwtk, tcp_wrappers, tcpsuck and
udpsuck and stuff like that on all of the machines that are
accessible from the Internet. I like the additional logging that
this stuff provides. That said the part of our network that this
list protects is "outside the firewall" so to speak.
What might be the performance impact of the filters below?
How can I figure out the actual performance impact?
Can anyone see any errors in the below excerpt from our
configuration?
! Prevent IP spoofing
access-list 100 deny ip 127.0.0.0 0.255.255.255 any log
access-list 100 deny ip 198.105.96.0 0.0.7.255 any log
! Prevent access to unprotected services
access-list 100 deny udp any 198.105.96.0 0.0.7.255 eq netbios-ns log
access-list 100 deny tcp any 198.105.96.0 0.0.7.255 eq 139 log
access-list 100 deny udp any 198.105.96.0 0.0.7.255 eq snmp log
access-list 100 deny udp any 198.105.96.0 0.0.7.255 eq snmptrap log
access-list 100 deny udp any 198.105.96.0 0.0.7.255 eq syslog log
access-list 100 deny tcp any 198.105.96.0 0.0.7.255 eq 515 log
access-list 100 deny udp any 198.105.96.0 0.0.7.255 eq 1645 log
access-list 100 deny udp any 198.105.96.0 0.0.7.255 eq 1646 log
access-list 100 deny tcp any 198.105.96.0 0.0.7.255 eq 8080 log
! Allow everything else.
access-list 100 permit ip any any
! The next two entries are never reached: "permit ip any any" above
! already matches every UDP and ICMP packet, so they are redundant.
access-list 100 permit udp any any
access-list 100 permit icmp any any
--
Eric Wieling
Network Operations Center
Inter Commerce Corporation
Technical Support: 504-525-1868
Administrative: 504-585-7303
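A way to answer the "any errors?" question offline, as an added example that is not part of the original post: the script below parses the access list quoted above into a first-match-wins rule table the way IOS evaluates it (with the implicit deny at the end), runs a few constructed sample packets through it, and reports entries that can never match because an earlier entry already covers them. The sample addresses (203.0.113.x, 198.105.100.5) and the port keyword table are assumptions for the demonstration.

```python
"""Added example (not from the original post): a small evaluator for the
IOS extended access list quoted above. It shows first-match-wins ordering,
the implicit deny at the end, and which entries can never be reached."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed copy of the access list from the post; '!' lines are IOS comments.
ACL_TEXT = """\
! Prevent IP spoofing
access-list 100 deny ip 127.0.0.0 0.255.255.255 any log
access-list 100 deny ip 198.105.96.0 0.0.7.255 any log
! Prevent access to unprotected services
access-list 100 deny udp any 198.105.96.0 0.0.7.255 eq netbios-ns log
access-list 100 deny tcp any 198.105.96.0 0.0.7.255 eq 139 log
access-list 100 deny udp any 198.105.96.0 0.0.7.255 eq snmp log
access-list 100 deny udp any 198.105.96.0 0.0.7.255 eq snmptrap log
access-list 100 deny udp any 198.105.96.0 0.0.7.255 eq syslog log
access-list 100 deny tcp any 198.105.96.0 0.0.7.255 eq 515 log
access-list 100 deny udp any 198.105.96.0 0.0.7.255 eq 1645 log
access-list 100 deny udp any 198.105.96.0 0.0.7.255 eq 1646 log
access-list 100 deny tcp any 198.105.96.0 0.0.7.255 eq 8080 log
! Allow everything else.
access-list 100 permit ip any any
access-list 100 permit udp any any
access-list 100 permit icmp any any
"""

# Standard port numbers behind the IOS keywords used in the list (assumed table).
PORT_NAMES = {"netbios-ns": 137, "snmp": 161, "snmptrap": 162, "syslog": 514}


@dataclass
class Entry:
    line: int             # line number within ACL_TEXT
    action: str           # "permit" or "deny"
    proto: str            # "ip", "tcp", "udp" or "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]  # destination port from "eq", if any
    log: bool
    hits: int = 0


def _parse_addr(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    # An IOS wildcard mask is the bitwise inverse of a subnet mask.
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False), tokens[2:]


def parse_acl(text):
    """Turn 'access-list N action proto src dst [eq port] [log]' lines into Entry objects."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        _, _, action, proto, *rest = line.split()
        src, rest = _parse_addr(rest)
        dst, rest = _parse_addr(rest)
        dport = None
        if rest and rest[0] == "eq":
            dport = PORT_NAMES.get(rest[1]) or int(rest[1])
            rest = rest[2:]
        entries.append(Entry(lineno, action, proto, src, dst, dport, "log" in rest))
    return entries


def _matches(e, proto, src, dst, dport):
    if e.proto != "ip" and e.proto != proto:
        return False
    if ipaddress.ip_address(src) not in e.src or ipaddress.ip_address(dst) not in e.dst:
        return False
    return e.dport is None or e.dport == dport


def evaluate(entries, proto, src, dst, dport=None):
    """Return (action, matched line) for a packet; IOS applies an implicit deny at the end."""
    for e in entries:
        if _matches(e, proto, src, dst, dport):
            e.hits += 1
            return e.action, e.line
    return "deny", None


def shadowed(entries):
    """Lines that can never match: an earlier entry already covers every packet they cover."""
    out = []
    for i, e in enumerate(entries):
        for prev in entries[:i]:
            if (prev.proto in ("ip", e.proto)
                    and e.src.subnet_of(prev.src) and e.dst.subnet_of(prev.dst)
                    and (prev.dport is None or prev.dport == e.dport)):
                out.append(e.line)
                break
    return out


if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    # Constructed sample packets: (proto, src, dst, dport)
    samples = [
        ("udp", "203.0.113.9", "198.105.100.5", 161),   # SNMP probe from outside
        ("tcp", "203.0.113.9", "198.105.100.5", 80),    # ordinary web request
        ("tcp", "198.105.97.1", "198.105.100.5", 80),   # spoofed internal source
        ("icmp", "203.0.113.9", "198.105.100.5", None),  # ping from outside
    ]
    for pkt in samples:
        print(pkt, "->", evaluate(acl, *pkt))
    print("unreachable ACL lines:", shadowed(acl))
```

Running it reports the two trailing `permit udp any any` and `permit icmp any any` entries as unreachable, since `permit ip any any` already matches everything they would. For the performance question, the router itself is the best instrument: `show access-lists 100` prints per-entry match counters, so you can see how often each `deny ... log` entry actually fires, and `show processes cpu` shows whether the list is costing noticeable CPU. The `log` keyword is the part to watch, because every matching packet also produces a syslog message, which is where the cost of a list like this normally concentrates.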